
CISA Warns: Craft CMS Code Injection Vulnerability Exploited


David Kimber
March 23, 2026

Confirmed active exploitation of a critical Craft CMS vulnerability (CVE-2025-32432) has led to its inclusion in the Known Exploited Vulnerabilities catalog.

Security teams and system administrators are advised to address this issue immediately to prevent severe network compromises.

The vulnerability is a severe code injection flaw, categorized under CWE-94, which involves improper control of code generation.

This type of weakness occurs when a software application fails to properly sanitize or validate user-supplied input before interpreting it as executable instructions.

For Craft CMS, a popular and highly customizable content management system widely used by enterprises, this vulnerability poses a significant risk.

It allows a remote, unauthenticated attacker to execute arbitrary code directly on the underlying server.

Once an attacker successfully achieves remote code execution, they can essentially take complete control over the affected application.

This level of access allows threat actors to modify website content, exfiltrate sensitive database records, or establish a persistent backdoor.

Furthermore, a compromised web server can serve as a strategic launching point for lateral pivoting into an organization’s internal network.

By adding CVE-2025-32432 to the KEV catalog on March 20, 2026, CISA has confirmed that threat actors are actively leveraging this flaw in real-world attacks.

At this time, CISA notes that it remains unknown whether this specific vulnerability is being utilized in ongoing ransomware campaigns.

Code injection and remote code execution vulnerabilities remain highly sought-after by threat actors, including state-sponsored groups and initial access brokers. Organizations relying on Craft CMS must treat this as a high-priority threat.

Unpatched content management systems exposed to the internet are highly visible targets. They are likely already being actively scanned and exploited by automated attack tools.

Mitigations

Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch agencies are legally mandated to remediate this vulnerability to protect federal networks.

CISA has established a strict compliance deadline of April 3, 2026, for federal agencies to apply the necessary mitigations.

While this directive applies only to government entities, CISA strongly urges all private-sector organizations and global enterprises to adopt the same aggressive patching timeline.

System administrators must immediately apply the latest security updates provided in the vendor instructions.

Organizations should also actively monitor their web access logs for any anomalous behavior or unauthorized administrative access attempts.

If applying the official patch is not immediately feasible, organizations must follow applicable cloud service security guidance or temporarily discontinue use of the vulnerable product until secure mitigations are in place.
